I gave an opening keynote at the FIDO Alliance’s “Authenticate” conference a few weeks ago! Although it featured timely strategies and tips for professionals deploying passkeys, my primary goal was to explain, as clearly as I can, why passkeys are important and how we should use them to reduce the harm that passwords cause.

YouTube link: https://www.youtube.com/watch?v=otObbUSxcqs

I’m really proud of this talk and I hope you’ll watch it and share it with others. I put care into making it approachable while still delivering my perspective and insights to security professionals. If you don’t get the “why” behind passkeys, this talk will help fill that gap.

Authenticate 2025 Keynote | Ricky Mondello, Apple | Get the Most Out of Passkeys

@rmondello What are your thoughts on sites that use passkeys + a second form of authentication? GitHub is one that comes to mind.

Doesn’t that defeat one of the benefits?

@brandonbutler @rmondello I think every service should allow users to have a fully passwordless account. If I already have an account and I register a passkey — allow me to get rid of my password and other factors (like SMS or TOTP). If I lose access to all my passkeys (which I know won't happen) or I need to sign in where they aren't supported, I can use a “magic link” or e-mail recovery as a last resort.

Also, it should be possible to register an account without ever creating a password.